
HOWTO : Surf anonymously with TOR and onion routing

1. Introduction
2. What's TOR?
3. Secure, but how secure actually??
4. What's Privoxy?
5. Let's install it
6. Let's configure it
7. How do I use it?
8. How can I tweak it?
9. References

===========================================

1. Introduction

Well, we all know that security has become a very important aspect of the internet, maybe the most important medium the world is relying on these days. It may be stating the obvious to you guys over again what we are protecting ourselves against out there: all the bad things that go bump in the night. Or you're an admin trying to defend his precious server farm. Or you're, or maybe were, that person with malicious intentions once, trying to fsck over that admin and his server farm. Anyways, "The Thin Red Line" shouldn't be a movie about war, but a movie about the thin border between hacking/cracking and securing. At least, that's my belief. One example of a technology that becomes more and more important, and is actually a nice example of that thin red line, is anonymity on the internet. We all like to hide out there. Certainly when doing our stuff, no matter if it's a hacker/cracker trying to disguise himself from getting traced or a federal agent trying to frame some criminal without giving away his federal identity. Everyone has his reasons to get anonymous. The morality of doing so is the topic of another discussion.

In this tutorial I'd like to show you guys what a nice example of anonymizing on the internet is, and how you can use it. Now I've seen a few threads on this subject, but no tutorial or HOWTO on using/installing it. If you already use it, all the better; if you don't, then this might get interesting for you.

I'd like to show how you can hide effectively out there with the use of TOR (onion routing) and a proxy, in this case Privoxy. Don't shoot me with all the manuals and the RTFM people should do. I know there are other tuts around, but I thought I'd introduce it here. Hope you like it.

2. What is TOR?

TOR is actually an anonymizing system that uses onion routing to hide and encrypt data in such a way that it hides the source. First, I'll briefly explain IP to shed some light on this technology. The internet mostly uses IP to route packets between a source and a destination. Every packet contains a header and a payload area. Now I'm not going into detail about the header, but the header contains, amongst others, 2 fields, namely "source ip" and "destination ip". These get filled in by the nodes at the end (e.g., your pc and a webserver).

Also, you need to know that in a normal sequence these fields NEVER change. I hear you thinking about IP spoofing now. Well, if so, you're kinda on the right track, except it's not actually IP spoofing that onion routing does. The TOR client sets up a session with the nearest onion router of the meshed onion-router network. Then, it tries to make a random path OVER all these onion routers towards the destination you want to reach. This path is encrypted over virtual tunnels between the onion routers. Every onion router only sees the source IP of the router it got data from, meaning no onion router ever knows the whole path.

Now comes the beauty of it. When you reach the last hop (meaning the last onion router) before the destination, this last hop changes the source IP of the previous router and replaces it with its own IP and also decrypts the data, whereafter it sends it to the destination. This means that the last onion router will be seen as the source IP rather than your actual IP address. That last router only changes back the IP of the server it got data from, and the data hops back to you, back over the virtual encrypted tunnel. These tunnels are random and change every given time, so it could be that you seem to be coming from Australia and 5 minutes later from Finland. I'll demonstrate this later.

3. Secure, but how secure actually??

Well, this might invoke an interesting discussion, as I will try to explain the security that's used throughout TOR. I will also try to shed some light on the possible flaws that might exist as well. First off, let me put a statement: "TOR is an implementation that uses onion routing". Onion routing itself gets its name from the "onion-alike" data structures it creates and sends throughout its network. This is a technique to ensure a route is created and yet every router will only know the router previous to itself and its next router. Every shell of the onion consists of 2 layers: 1 encryption layer and 1 data layer, which contains the necessary data of the next hop, like the IP address. Every hop (onion router) sees the request come in with the IP of the previous hop. It will then decrypt the first layer to get to its second layer of data. It then passes the onion to the IP address it found. In the heart of the onion the data is found, which will be passed in clear text from the last hop to the destination. This should give a general idea of the structure of the onion.

Now onto the encryption. The encryption used in the encryption layers is PKI-based (Public Key Infrastructure). This technique was used in early implementations, and is actually vulnerable to a specific attack: Man-in-the-Middle. Basically, the attacker can insert himself between two points and capture the traffic. Once enough traffic is captured it can be decrypted at a later time and eventually the keys used could be discovered.

Therefore, TOR (the latest implementation) uses Diffie-Hellman key exchange, considered a safe PKI, and Perfect Forward Secrecy (PFS). These keys are only used during the lifetime of the virtual connections, much like a session key. Diffie-Hellman is a key exchange method based on computing together a preshared key, which will be used for further encryption of the communication. For a more in-depth view of Diffie-Hellman, please check the references list at the bottom. Now this key exchange is combined with PFS.

PFS ensures that the compromise of a single key permits access only to data that is protected by it, not necessarily to the entire communication.

So, PFS ensures that a key used to protect transmission data can never be used as a key to set up a new key, in this case the DH keying, and vice versa.
Although these things look pretty secure, and mostly they are, there are, as always, exceptions. For example, I'd like to point you Here for an advisory of August 2005 on TOR.

4. What is Privoxy?

Privoxy is simply a proxy program that can be used to relay the traffic. In this case we will use it as an addition to TOR for extra anonymity, such as changed User-Agents, a pop-up blocker, etc. For those who don't know what a proxy is: a proxy is a server that sits between one computer system and another (e.g., your browser and a web server). Your browser makes a request to the proxy, and the proxy effectively gets the data and passes it back to you. Proxies are widely used for several implementations. Now, some of you will say, "Why not just use a free open proxy and we're set?" That's another way of anonymizing, but open anonymous proxies are mostly very slow and unreliable when free. Also, they are not randomizing like TOR, nor will they (mostly) encrypt your data.

5. Let's install it ...

I am using Slackware 10.2 at this time and will use this distro for the demonstration. I also use Mozilla Firefox for my browser and Xchat as my irc client. Other package handlers might even be easier. There even are Windows and MacOSX packages available. If you really need help on that I suggest that you first go and read the manual of your OS and/or package handler. I might be able to help out on other OSes over IRC (check my signature for irc). So now open a console window and head to root (su).

The slackpack also made a nice startup script for you, which can be found at /etc/rc.d/rc.privoxy. So check if it starts well.

Code:

# /etc/rc.d/rc.privoxy start

That should be it. All necessary packages should be installed now. If you have problems installing or with the runscripts, contact me through pm or rather on irc. I'll help you out.
Now let's move on to configuring ....

6. Let's configure it

Tor has a pretty solid default configuration, so we can leave that one alone. There is one configuration thing we need to do though, and that's to point Privoxy towards the TOR engine. We will need to filter the browser requests through the Privoxy proxy filters. Then we can safely pass that result towards the TOR engine, which will initiate the rest of the connection.

I made a little page that will show you how to set your browser settings and lets you see if you're hidden or not. If you configured everything well you should be able to surf the net, and then you can surf to Here. Now you see your current public IP. That's for browsing, ftp connections and http over ssl connections. (Also see section 5 if you forgot the browser configurations.)

Now onto xchat, that means IRC of course.
Go into your irc client, in my case xchat, and follow the next sequence:

Connect, wait and see yourself evading those .... errmmm, your anonymity ...
It's possible though that if you get detected using TOR on IRC you might get asked not to use TOR, because it's hard to ban a TOR client :P

So that's it on how to use it. An ethical point, however: while it's good to be anonymous, as most of us know, hackers/crackers/trolls/ogres also know these techniques and have known them for a very long time. Use the knowledge wisely; don't abuse it. Anyway, that's up to yourself.

8. How do I tweak it?

Well, I told you about the tweaking concerning browsing and ircing. Other programs are similar.
If the program has an option to use a proxy server, you're set. But I'm sure you will be clever enough to figure those out yourself.

- The TOR client doesn't need much tweaking, but you can tweak it further if you want. To do so, modify /usr/local/etc/torrc.
- Privoxy can be tweaked much more to your needs. To do this, do the following steps:
- Invoke a 404, for example browse to http://www.test.test/ (dunno another way to access it; if you know one, contact me)
- You should see the proxy page now
- Go to "view and edit current configuration"
- Click view and/or edit /etc/privoxy/default.action
- You'll see three main modes: "Cautious, Medium and Adventuresome"
- I chose Medium and then clicked edit to modify the hide-user-agent entry (always fun)

Anyway, lots of options to tweak and places to see, all anonymously now.
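Section 6 boils down to "point Privoxy at the Tor engine", and section 4 explains why an open proxy is a bad idea. The following is an added example (not from the tutorial, and not Privoxy's or Tor's own code) that lints a Privoxy config for the settings that decide whether the chain actually hides anything: a loopback-only listen-address, so the box does not become an open proxy for the whole network, and a catch-all SOCKS4a/SOCKS5 forward to Tor's SOCKS port, so hostnames are resolved inside Tor instead of by the local resolver. The directive names listen-address, forward, forward-socks4, forward-socks4a, forward-socks5 and forward-socks5t are real Privoxy syntax; port 9050 (Tor's default SocksPort), port 8118 (Privoxy's default) and the two sample configs are assumptions constructed for the example.

```python
"""Lint a Privoxy config for the settings that matter when it fronts Tor.

Checks: (1) listen-address is loopback-only, otherwise the box is an open
proxy for the whole network; (2) a catch-all forward rule ("/") hands every
request to Tor's SOCKS port; (3) that rule uses SOCKS4a/SOCKS5 so hostnames
are resolved through Tor, not by the local resolver (a DNS leak otherwise).
The directive names are real Privoxy syntax; both sample configs and the
port numbers are constructed assumptions for this example."""

TOR_SOCKS_PORT = "9050"                      # assumed: Tor's default SocksPort
LOOPBACK = {"127.0.0.1", "localhost", "::1", "[::1]"}

# Constructed weak config: listens on every interface, forwards nothing to Tor.
WEAK_CONFIG = """
listen-address  0.0.0.0:8118
toggle  1
"""

# Constructed corrected config: loopback listener, everything via Tor over SOCKS4a.
GOOD_CONFIG = """
listen-address  127.0.0.1:8118
forward-socks4a / 127.0.0.1:9050 .
"""


def parse_privoxy_config(text: str):
    """Return [(directive, [args...])], dropping comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            directive, *args = line.split()
            entries.append((directive.lower(), args))
    return entries


def check_privoxy_tor_chain(text: str):
    """Return a sorted list of findings; an empty list means the chain looks sane."""
    findings = []
    entries = parse_privoxy_config(text)

    listeners = [args for d, args in entries if d == "listen-address" and args]
    if not listeners:
        findings.append("no listen-address directive: cannot confirm loopback-only listener")
    for args in listeners:
        host = args[0].rsplit(":", 1)[0]
        if host not in LOOPBACK:
            findings.append(f"listen-address {args[0]} is not loopback: open proxy")

    # Privoxy forward rules: <directive> <url pattern> <proxy> [<http parent>]
    catch_all = [(d, a) for d, a in entries
                 if d.startswith("forward") and a and a[0] == "/"]
    if not catch_all:
        findings.append("no forward rule for '/': traffic bypasses Tor")
    for d, a in catch_all:
        if d == "forward":
            findings.append("plain 'forward /' sends traffic directly, not through Tor")
        elif d == "forward-socks4":
            findings.append("forward-socks4 resolves hostnames locally: DNS leak")
        elif d in ("forward-socks4a", "forward-socks5", "forward-socks5t"):
            target = a[1] if len(a) > 1 else ""
            host, _, port = target.rpartition(":")
            if host not in LOOPBACK or port != TOR_SOCKS_PORT:
                findings.append(f"{d} target {target!r} is not Tor's local SOCKS port {TOR_SOCKS_PORT}")
            if len(a) < 3 or a[2] != ".":
                findings.append(f"{d} chains a parent HTTP proxy after Tor; expected '.'")
    return sorted(findings)


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("good", GOOD_CONFIG)):
        print(name, "->", check_privoxy_tor_chain(cfg) or "OK")
```

The SOCKS4a-versus-SOCKS4 distinction is the one people miss: with plain SOCKS4 Privoxy resolves the hostname itself before handing the connection to Tor, so the DNS query still leaves your machine in the clear even though the HTTP traffic goes through the circuit.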

And the encryption between the nodes is merely a courtesy, nothing that you can consider confidential.


Hang on a sec... how can public key cryptography be in place if the first node can't know where a request is going to be traveling? Unless the first node encrypts it so only the last node can decrypt it, all the nodes in between will have access to the data (otherwise, why randomize the path if node 1 knows where the last node is?)

I remember using this back in the day for exploit scanning. Now I'm older and wiser, that and my ISP blocks you based on traffic. Probably for the better, I've crossed from dark jedi to white........ or grey if you will.

This is a nice tutorial. Any chance of expanding on it for those users who aren't *nix-savvy? I know that a large portion of this site's visitors are probably not regular *nix users.

"Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
"...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

Hang on a sec... how can public key cryptography be in place if the first node can't know where a request is going to be traveling? Unless the first node encrypts it so only the last node can decrypt it, all the nodes in between will have access to the data (otherwise, why randomize the path if node 1 knows where the last node is?)

From the tut :

This path is encrypted over virtual tunnels between the onion routers. Every onion router only sees the source ip of the router it got data from, meaning no onion-router ever knows the whole path.

I've looked up that part for you on the tor site to confirm what I'd explained.

The client negotiates a separate set of encryption keys for each hop along the circuit to ensure that each hop can't trace these connections as they pass through.
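The question quoted above (how can node 1 encrypt for a path it does not know?) is answered by that line from the Tor site: the client, not the first node, picks the whole path and negotiates a separate key with each hop, then wraps the data in one layer per hop. What follows is an added toy simulation of that layering, written for this thread; it is not Tor's code, key exchange or cipher. The hop names guard/middle/exit, the destination address and the SHA-256 keystream cipher are assumptions chosen so it runs with the standard library alone. Each hop's recorded view shows the property the tutorial describes: a hop learns only the previous and the next address, only the exit sees the plaintext (the point made earlier that the encryption between nodes is a courtesy, not end-to-end confidentiality), and a hop's key cannot peel a layer that is not its own.

```python
"""Toy onion-routing simulation (standard library only).

The client holds one session key per hop, wraps the payload in one
encryption layer per hop (innermost for the exit) and each hop strips
exactly one layer. The cipher is a SHA-256 counter keystream, chosen so
the example runs anywhere; it is NOT Tor's real key exchange or cipher.
Hop names, the destination and the keys are constructed for the demo."""
import hashlib
import json
import os


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """XOR data with a SHA-256 keystream keyed by (key, block offset).

    XOR is its own inverse, so the same call encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def build_onion(path, hop_keys, destination, payload: bytes) -> bytes:
    """Client side: wrap the payload for the exit first, then for each earlier hop.

    Layer for hop i = Enc(key_i, {"next": address hop i forwards to, "body": inner}).
    Only the client ever sees the full path; no single layer names more than one hop."""
    inner = payload
    next_hop = destination            # the exit's layer names the real destination
    for hop in reversed(path):
        layer = json.dumps({"next": next_hop, "body": inner.hex()}).encode()
        inner = keystream_xor(hop_keys[hop], layer)
        next_hop = hop                # the layer before this one points at this hop
    return inner


def peel_layer(key: bytes, onion: bytes):
    """Relay side: strip one layer; returns (next address, remaining onion)."""
    layer = json.loads(keystream_xor(key, onion))
    return layer["next"], bytes.fromhex(layer["body"])


def can_peel(key: bytes, onion: bytes) -> bool:
    """True only for the key of the outermost layer; any other key yields garbage."""
    try:
        peel_layer(key, onion)
        return True
    except (ValueError, KeyError, TypeError):
        return False


def run_circuit(path, hop_keys, destination, payload: bytes):
    """Push the onion through every hop and record what each hop can observe."""
    views = []
    previous = "client"               # the first hop does see the client's address
    onion = build_onion(path, hop_keys, destination, payload)
    for hop in path:
        next_hop, onion = peel_layer(hop_keys[hop], onion)
        views.append({"hop": hop, "from": previous, "to": next_hop,
                      "sees_payload": onion == payload})
        previous = hop
    # After the last hop the remaining bytes are exactly what the destination receives.
    return views, onion


def demo():
    """Three-hop circuit with fresh random per-hop keys (constructed demo)."""
    path = ["guard", "middle", "exit"]
    hop_keys = {hop: os.urandom(32) for hop in path}   # one key per hop, held by the client
    request = b"GET / HTTP/1.0\r\n\r\n"
    views, delivered = run_circuit(path, hop_keys, "www.example.test:80", request)
    for v in views:
        print(f"{v['hop']:>6}: from {v['from']:<7} to {v['to']:<20} "
              f"plaintext visible: {v['sees_payload']}")
    return views, delivered


if __name__ == "__main__":
    demo()
```

The guard's view (from "client", to "middle") and the exit's view (from "middle", to the destination, plaintext visible) are the two halves of the usual caution: the entry knows who you are but not where you go, the exit knows where you go but not who you are, and anyone watching both ends can correlate the two, which is the kind of track-back mentioned later in the thread.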

I'd write a tutorial on how to install it on Windows, but it's so easy that it doesn't require one (maybe Gore feels like writing one ):

Be careful what you wish for :P

On the speed question, the speed seems to vary for me too. Sometimes speeds are very acceptable while not interesting at other moments. If you e.g. only need to use it for *important* stuff, I find the speeds pretty acceptable.
Anyway, TheHorse13 also pointed out to me that there could be instances that can track back. Just to let you know ...

[EDIT]
Oh, and besides, Negative, in your Windows tut add-on you forgot to mention the last step: a reboot.
[/EDIT]

Yes, TOR offers encryption, not a 100% safe way to hide the source of the traffic. It was developed so that programmers could share data, not to hide l33tHax0rz.

Anyway TheHorse13 also pointed me out that there could be instances that can track-back...

Not "could". There *are* ways to track back the traffic source. However, most rubes on the intarweb are not bright enough to do it. This will change when an automated tool hits the web and then everyone can start tracing the origin of TOR traffic. Hint, hint.

Thanks for the honorable mention Raiden.

--TH13

Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden